RE: RPC Scan Issues

From: Hussein Ghazy (hussein.ghazy_at_mibank.com.eg)
Date: 10/16/03

  • Next message: Philipp, Roland: "RE: Blocking and allowing ActiveX"
    To: <larobins@bellatlantic.net>, "'Anderson, Kelly'" <kjanders@umich.edu>, <focus-ms@securityfocus.com>
    Date: Thu, 16 Oct 2003 16:33:44 +0200
    
    

    Dear Sir,

    To turn off DCOM, follow these steps:

    Open Run, type dcomcnfg, then press Enter.

    Then choose Component Services, then right-click on My Computer & choose
    Properties.

    Choose the Default Properties tab.

    Then uncheck "Enable Distributed COM on this computer".

    Done

    Thanks & Best Regards
    Hussein Ghazy
    Security Specialist
    Misr International Bank

    -----Original Message-----
    From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    Sent: 15 October 2003 20:12
    To: 'Anderson, Kelly'; focus-ms@securityfocus.com
    Subject: RE: RPC Scan Issues

    I've had every one of them throw false results. At least it's better
    than nothing. :-)

    Laura

    > -----Original Message-----
    > From: Anderson, Kelly [mailto:kjanders@umich.edu]
    > Sent: Wednesday, October 15, 2003 10:02 AM
    > To: focus-ms@securityfocus.com
    > Subject: RE: RPC Scan Issues
    >
    >
    > To throw my 2-cents into the ring...I've personally found
    > that the Retina scanner throws false positives also.
    > However, I have yet to have the most current MS scanner give
    > me an error. Thus far, the MS scanner has been the most
    > reliable for me. But, you must be vigilant to have the most
    > current scanner and signatures so that you can eliminate
    > potential errors.
    >
    > So, that said, based on Jerry's response, I would venture to
    > say that none of the scanners are 100% and for the more
    > serious patches (e.g.,
    > MS03-039) you need to double check the file names, sizes,
    > dates, reg entries, etc.
    >
    >
    > - Kelly
    >
    > ********************************************
    > Kelly J. Anderson, MCSE
    > Windows 2000 Infrastructure
    > University of Michigan
    > http://www.umich.edu/~lannos/win2000
    > ********************************************
    >
    >
    >
    > -----Original Message-----
    > From: Jerry Heidtke [mailto:jheidtke@fmlh.edu]
    > Sent: Tuesday, October 14, 2003 3:09 PM
    > To: Thaddeus McNamara; focus-ms@securityfocus.com
    > Subject: RE: RPC Scan Issues
    >
    >
    > The MS scanner is so inaccurate as to be useless. In my
    > experience, the Retina scanner is 100% accurate.
    >
    > You may find systems that had the patch installed through
    > windowsupdate, but show up in a scan as still vulnerable.
    > Every case I've seen of this, the patch was not installed
    > completely and needs to be reinstalled. The registry will
    > indicate that the patch is installed (this is all that WU
    > checks), the uninstall directory exists with the correct old
    > files in it, but the files in use never got replaced with the
    > new ones.
    >
    > You cannot turn off RPC and expect a Windows system to work.
    > Despite being called "Remote Procedure Call", many local
    > functions depend on RPC to work (minor things like event
    > logging, registry access, file property reading, and authentication).
    >
    > You may be able to turn off DCOM, which is a specialized
    > service that operates over RPC, and where the particular
    > vulnerabilities exist. You can't do this on a domain
    > controller or Exchange server, probably can't do it on a SQL
    > Server box, and there are likely other specialized services
    > that require DCOM. You can try this with the standard
    > "dcomcnfg.exe", or by using third-party utilities such as the
    > one at www.grc.com, or by making a single registry change. Be
    > aware that if it doesn't work, you probably need to
    > physically touch the box to get it working again.
    >
    > The firewall will not be enough, unless you have absolute
    > control over every device that might ever be connected to the
    > network behind the firewall. We've had seven cases where
    > people brought in laptops that were infected with
    > Nachia/Welchia, which proceeded to try to scan our entire
    > class B address range looking for vulnerable systems to
    > infect, which it can do in less than 10 minutes if we don't
    > null route it and disable the network port first. In spite of
    > having good immediate automatic detection and alerting based
    > on Nachia-generated traffic, our response still happens in
    > human-scale time frames, which leaves plenty of opportunity
    > for mischief. There's no reason to believe the next worm will
    > be less aggressive or less efficient...
    >
    > Your best defense is to patch.
    >
    > -----Original Message-----
    > From: Thaddeus McNamara [mailto:tk@coast-radio.com]
    > Sent: Tuesday, October 14, 2003 11:58 AM
    > To: 'focus-ms@securityfocus.com'
    > Subject: RPC Scan Issues
    >
    >
    > After reading there's yet another RPC exploit code in the
    > wild, I double checked my LANs with both the MS DCOM scanner
    > (KB824146Scan) and the Retina RPC DCOM scanner and got very
    > different results. A few of the machines I know are NOT
    > patched and others are Fully patched.
    >
    > 1. Is it possible they aren't patched properly?
    > 2. Should I be getting such different results?
    > 3. Should I or can I turn off RPC?
    > 4. Will the firewall be enough?
    >
    > Thadd McNamara
    > IT Director
    > Coast Radio Co., Inc.
    >
    ---------------------------------------------------------------------------
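The thread makes two checkable points: the registry can say the patch is installed while the files in use were never replaced, and DCOM can be switched off through dcomcnfg or a registry value. The following read-only audit script is an added example, not code from any poster or vendor; it reports the DCOM switch and compares the patch's registry marker with the versions of the files actually on disk. Assumptions: the `HKLM:\SOFTWARE\Microsoft\Updates` marker location used by the Windows 2000/XP-era hotfix installer, the three-file list, and a minimum version that you must supply from the bulletin's file manifest.

```powershell
# Added example (not from the thread). Read-only audit; run locally as an administrator.
param(
    [string]$KbId = 'KB824146',    # the MS03-039 update named in the thread
    # Assumed file list: confirm the names against the bulletin's file manifest.
    [string[]]$Files = @('ole32.dll', 'rpcrt4.dll', 'rpcss.dll'),
    # Minimum patched file version for your OS and service pack, taken from the bulletin.
    [Parameter(Mandatory = $true)][version]$MinVersion
)

# 1. DCOM switch: the value behind the dcomcnfg checkbox ("Y" or "N").
#    Assumption: anything other than "N" (including a missing value) means enabled.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
$dcomEnabled = -not ($ole -and $ole.EnableDCOM -eq 'N')

# 2. Registry marker: what an installer-state check sees.
#    Assumption: the hotfix installer records a key named after the KB under this path.
$marker = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Updates' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $KbId }
$registrySaysInstalled = [bool]$marker

# 3. Files in use: version, size and date of each binary in System32.
$fileReport = foreach ($name in $Files) {
    $item = Get-Item -Path (Join-Path $env:SystemRoot "System32\$name") -ErrorAction SilentlyContinue
    $ver = $null
    if ($item) {
        $vi  = $item.VersionInfo
        $ver = New-Object version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    }
    New-Object psobject -Property @{
        File     = $name
        Version  = $ver
        Size     = $item.Length
        Modified = $item.LastWriteTime
        Patched  = ($ver -ne $null -and $ver -ge $MinVersion)
    }
}

# 4. Verdict: a marker with stale files is the incomplete install described in the thread.
$stale = @($fileReport | Where-Object { -not $_.Patched })
$verdict = if (-not $registrySaysInstalled) {
    'NOT INSTALLED: no registry marker found'
} elseif ($stale.Count -gt 0) {
    'INCOMPLETE: registry marker present but files not replaced; reinstall the patch'
} else {
    'PATCHED: registry marker and file versions agree'
}

$fileReport | Format-Table File, Version, Size, Modified, Patched -AutoSize
"DCOM enabled: $dcomEnabled"
"$KbId registry marker: $registrySaysInstalled"
"Verdict: $verdict"
```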
    
